The privacy watchdog on Thursday said it had given the Urban Renewal Authority (URA) a warning letter for breaching data protection laws in May last year.
It comes after the Office of the Privacy Commissioner for Personal Data (PCPD) completed its investigation into the incident and released its findings in a report on Thursday.
According to the PCPD, the phone numbers, names and addresses of nearly 200 people affected by the redevelopment plan for Nga Tsin Wai and Carpenter roads in Kowloon City were leaked and exposed.
Privacy Commissioner Ada Chung said the leak covered the data of owners and tenants who registered for briefing sessions about the project and who filled out online registration forms stored on a cloud platform.
She said her office's probe found the URA and its contractor had failed to update the software that generated the forms to its latest version, which would have offered stronger protection.
Chung said the URA also did not have a thorough understanding of the software, and therefore she ruled the development body had violated a legal clause on the security of data.
"The Privacy Commissioner found that the URA had not taken all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss or use," she said in a statement.
The commissioner also updated her office's guide on the use of online cloud services as they become more popular.
The guide's recommendations include encrypting the personal data stored in the cloud, ensuring that only authorised persons can access the data, and ensuring that service providers delete or return the data held when the service contract is over.
The URA said in response it would study the commissioner's report in detail, adding that it had implemented a series of measures to strengthen data protection.
These include asking the contractor to give timely notifications on product updates, optimising the workflow for handling personal data and appointing a firm to conduct an information security audit.
The authority added it would seek to minimise the chances of a repeat of similar incidents.
"[The URA will] strive to establish a more robust privacy security framework and a corporate culture that values the protection of personal data," it said in a statement.